Seventy-eight percent (78%) of 300 IT professionals at last month’s RSA Conference 2013 admitted to AhnLab that they had found, picked up and plugged in a USB flash drive found abandoned on the ground.
“I am utterly shocked at these figures,” said Brian Laing, VP of marketing and business development at AhnLab, Santa Clara. “For example, Stuxnet, one of the world’s most sophisticated cyber-attacks, gained access to its target system through a ‘found’ USB drive. The creators of the malware left infected USB drives near a uranium enrichment facility and someone picked it up and inserted it into their PC. Stuxnet derailed the efforts of that nation to purify nuclear materials at its facility.”
These latest figures show that leaving a flash stick lying around was not such a long-shot by the attackers – and it is probably still being used elsewhere. As recently as the latter part of last year an engineer inserted an infected stick into a personal computer being used to deliver upgrades to an ICS computer in the US. The system was down for upgrades at the time, but the subsequent infections delayed it coming back on line.
Sixty-eight percent (68%) of AhnLab’s respondents also admitted to having been involved in a breach either at home, at work or personally; and many could trace the breach back to the use of the abandoned flash drives. Analysis showed that these drives contained viruses, rootkits, bot executables, movies, music and other office documents.
It is time that security professionals should practice what they preach, says Laing. “This ‘it won’t happen to me’ attitude doesn’t wash,” he said. “It really does come down to the old mantra of combining people, process and technology – if you can get all three elements right, you are on track to a safe and secure environment.”
Security awareness training clearly shouldn't be limited to just the end user.